react-email
Pass
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- Prompt Injection (LOW): The skill provides templates that interpolate external data into emails, creating a surface for indirect prompt injection.
  * Ingestion points: references/SENDING.md (props in WelcomeEmail component)
  * Boundary markers: Absent in provided snippets
  * Capability inventory: Email sending via multiple providers
  * Sanitization: Absent in snippets; relies on default library behavior.
- Credentials Unsafe (SAFE): Code examples correctly demonstrate the use of environment variables (e.g., process.env.RESEND_API_KEY) rather than hardcoded secrets.
- External Downloads (SAFE): References to npx and standard npm packages are consistent with the skill's intended development workflow and use well-known libraries.
Audit Metadata